Hackers distribute a cracked password manager that steals data, deploys ransomware
- A malicious variant of KeePass is being offered online
- The malware deploys an infostealer and a Cobalt Strike beacon
- The cybercriminals use the access to deploy ransomware
Cybercriminals are distributing an infected version of a popular password manager, using it to steal data and deploy ransomware. That is according to security researchers at WithSecure Threat Intelligence, who recently observed such an attack in the wild.
In an in-depth analysis published recently, the researchers said that a customer had downloaded what they thought was KeePass, a popular password manager. They had clicked on an ad in the Bing advertising network and landed on a page that looked exactly like the KeePass website.
However, the site was a typosquatted imitation of the legitimate password manager's site. Because KeePass is open source, the attackers kept all the functionality of the legitimate tool, but with a little extra Cobalt Strike on the side.
The fake password manager exported all saved passwords into a cleartext database, which was later passed to the attackers via the Cobalt Strike beacon. The attackers then used the login data to gain access to the network and deploy ransomware, which is when WithSecure was brought in.
WithSecure said the campaign bears the fingerprints of an initial access broker (IAB), a type of hacking group that gains access to organizations and then sells that access to other hacking collectives. This particular group is most likely associated with Black Basta, a notorious ransomware operator, and is now tracked as UNC4696.
This group was previously linked to Nitrogen loader campaigns, BleepingComputer reported. Older Nitrogen campaigns were linked to the now-defunct BlackCat/ALPHV group.
So far this was the only attack observed, but that does not mean there are no others, WithSecure warns: “We are not aware of other incidents (ransomware or otherwise) using this Cobalt Strike beacon watermark – this does not mean that it did not take place.”
The typosquatted website hosting the malicious KeePass version was still active at the time of writing and still serving malware to unsuspecting users. WithSecure also said that behind the site was an extensive infrastructure, built to distribute all kinds of malware posing as legitimate tools.